
Foiling Nimda

Nimda and Code Red are IIS worms. As an Apache server administrator you are not vulnerable to them, but their probe requests do fill up your log files. Here are a few techniques to prevent that.

One: Apache::CodeRed. Find it at
http://cpan.org/modules/by-module/Apache/ Easy to install, easy to
configure. But needs mod_perl, so if you don’t have that, you’re out of
luck.

Also, I have a hacked version of this which adds the address to my
firewall deny list. I think I should probably leave that as an
exercise, but basically you have it call a suid script that takes an
IP address as its only argument and adds a deny rule for that host.
Because that script runs with elevated privileges, it should accept
nothing but a well-formed IP address and refuse anything else.
Presumably you could do this from a CGI program as well, and invoke it
thus:

# Action is provided by mod_actions. LocationMatch sees the request path
# only: there is no trailing slash after default.ida or root.exe, and the
# query string (Code Red's ?NNNN...) is not part of what is matched.
Action codered /cgi-bin/code_red.cgi
<LocationMatch "/(default\.ida|msadc|root\.exe|MSADC|system32)">
    SetHandler codered
</LocationMatch>

The cgi would look something like:

#!/usr/bin/perl
use strict;
# REMOTE_ADDR comes from the socket, not from a client header; the list
# form of system() also keeps the address out of any shell command line.
my $ip = $ENV{REMOTE_ADDR};
system( '/usr/bin/BLOCK', $ip );
# Answer with a normal 200 response so nothing lands in the error log.
print "Content-type: text/html\n\n";
print "bye, now.\n";

This gets rid of the error log entries, because the request now resolves
to a real URL and gets a 200 rather than a 404. This is probably my most
recommended approach, unless you want to use Apache::CodeRed, which also
sends email to the domain contacts and ISP contacts; that is perhaps the
best thing to do, but it generates a lot of bounce messages.

Note that even if you don’t add them to your firewall, the above script can be used, minus the two lines that take the address and call the blocking script, to eliminate the error messages. And, in conjunction with the “don’t log” recipe below, it can remove the problem entirely.

Two: Conditional logging. See tutorial at
http://httpd.apache.org/docs/logs.html#conditional or, for the recipe
version, you need the following:

SetEnvIf REQUEST_URI "default.ida" dont-log
CustomLog logs/access_log combined env=!dont-log

As noted previously, this only covers the access log. The error log is
trickier. One way to handle this is to actually redirect these requests
to a virtual host, with a /dev/null’ed error log. That is how I handled
it before I started firewalling them.

However, this, in conjunction with the recommended CGI program will
eliminate all log entries other than the initial access to the CGI
program, which can also be eliminated if you use the conditional logging
trick.

Note two things about the firewall approach. First, if you have a busy
site, this is *NOT* recommended, as it will cause your firewall list to
grow to an absurd size; I’m doing this on a home DSL account. Second, if
you firewall them, you’ll get perhaps one entry in the error log, but no
more. There will probably be entries in your firewall log instead, which
are far more satisfying. Reset your firewall deny list periodically so it
does not grow without bound.
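As an added example (not part of the original post, and not the author's BLOCK script), here is the offline version of the firewall approach: a shell script that pulls the worm probe requests out of an access log using the same path patterns as the LocationMatch above, counts them per client address, and lists only the addresses that crossed a threshold, which is the check you want on a busy site before anything goes into a deny list. The log lines are constructed samples in Apache's combined format, and `/usr/bin/BLOCK` in the usage comment is the hypothetical blocking script from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Pull Code Red / Nimda probe
# requests out of an Apache access log, count them per client address and list
# the addresses that sent at least N of them, suitable for feeding a firewall
# deny list from cron. Only addresses over a threshold are listed, so a busy
# site's list does not grow with every one-off probe.

# Same path patterns as the LocationMatch in the post. Apache matches the path
# only, so the query string (Code Red's "?NNNN...") is stripped before matching.
# [.] is used instead of \. so the pattern survives being passed through awk -v.
WORM_PATTERN='/(default[.]ida|msadc|root[.]exe|MSADC|system32)'

# Constructed sample log lines in the "combined" format, not real traffic.
SAMPLE_LOG='10.0.0.5 - - [18/Sep/2001:13:04:01 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [18/Sep/2001:13:04:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [18/Sep/2001:13:04:03 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
192.0.2.9 - - [18/Sep/2001:13:05:10 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [18/Sep/2001:13:06:00 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"'

# worm_hits: read an access log on stdin, print "count address" for every
# client whose request path matched WORM_PATTERN, busiest first.
worm_hits() {
    awk -v pat="$WORM_PATTERN" '
        {
            # In the common and combined formats field 7 is the request path.
            path = $7
            sub(/\?.*/, "", path)
            if (path ~ pat) count[$1]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# block_candidates N: addresses with at least N probes, one per line. These
# are what you would hand to a blocking script; anything below the threshold
# stays out of the deny list.
block_candidates() {
    min="$1"
    worm_hits | awk -v min="$min" '$1 >= min { print $2 }'
}

# Usage against a real log, with the post's (hypothetical) /usr/bin/BLOCK:
#   block_candidates 2 < /var/log/httpd/access_log |
#       while read ip; do /usr/bin/BLOCK "$ip"; done
# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | block_candidates 2
```

Run it from cron against the rotated log rather than the live one, and pair it with the periodic reset of the deny list mentioned above; the threshold is the knob that keeps the list sane on a busy site.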


Follow-up: Ken Coar notes that you should also check out EarlyBird.

Surreal tech support situation

One of my customers hosts their web site on a Mindspring server, which was bought by Earthlink at some point. The site is running on Apache. The customer had me set up password authentication for a subdirectory, and it was necessary for me to do this with an .htaccess file, which was easy enough. However, since ServerName is apparently set incorrectly in the configuration, they were having the problem described in the FAQ, where you get asked for your password twice, and end up on a hostname that is not what you typed in.

I called EarthLink, and talked with two different support reps before I could get someone that even acknowledged that the problem was happening – the first guy simply would not admit that it was happening. I explained the problem to him (the second guy), told him how to solve the problem, and gave him the URL for the FAQ where it is described. (http://httpd.apache.org/docs/misc/FAQ.html#prompted-twice) After putting me on hold for a lengthy period of time, apparently talking to other experts, he came back and told me that the problem was beyond their expertise to deal with. He encouraged me to read the .htaccess file tutorial on the Apache web site at apache.org. (http://httpd.apache.org/docs/howto/htaccess.html)

Now, for those of you who don’t already know, the reason that this was so very surreal is that I wrote the .htaccess tutorial on the Apache web site. I’m pretty sure that the tech support guy did not believe me when I told him this, but, honest, I really did. And, of course, I’m no closer to having a solution to the problem, because it’s something that has to be done in the main configuration file. ServerName is set incorrectly, and I would need access to the main server config file to fix that, or to set UseCanonicalName off, which is the other recommended solution.

Hopefully, I’ll get someone on the phone next week that believes me, and is willing to implement the recommended solution.

Here, just take it

By the way, in case anyone cares (yes, a few people have asked!) the code that is posted to this web site is released under my proprietary HJTI license. The complete text of this license follows:

————————
Here, just take it.
————————

For those of you who get your panties in a bunch about correct legal phrasing, here it is again:

—————————-
This code is explicitly placed in the public domain. Bend, spindle, and mutilate. Caveat Emptor. YMMV. BYOB. IANAL. Have a nice day.
—————————-

Clear?

Apache Web Server Administration, by Charles Aulds

Linux Apache Web Server Administration
Charles Aulds
Craig Hunt Linux Library
Sybex Press

Well, I tried to be very critical of this book, because, after all, I want you to buy my book. But it really is very good.

It has thorough coverage of all important topics. I found a number of places where information was wrong, but most of these were probably attributable to typesetting errors, rather than author errors. Missing parentheses, for example.

The examples were, for the most part, excellent, with good supporting explanations. Diagrams were good too – not gratuitous, but actually useful in most cases.

If I’m going to complain about something, it would be that there is no clear distinction made of when he’s talking about 1.3, and when 2.0. Or is it all 2.0? I’m really not sure. Some of it appears to be 1.3 specific, but other places he’s very clearly talking about 2.0, although this is not mentioned in the text, and might not be clear to other folks.

Overall, recommended and thorough.

(The book was given to me by the publisher, but I did not receive any other incentive to say nice things about it.)

Apache::VhostDB, sort of

I wanted to write a mod_perl handler that would read vhost configurations out of a database. However, it made more sense, at least to get something working quickly, to do this as a <Perl> section in the configuration file.

I guess this could be done as a mod_perl handler instead, and I hope to eventually do it that way (mostly as an exercise, actually) but here it is the way I have it working:

#
# create table vhosts
#   (ID           int(11) not null auto_increment,
#    servername   varchar(255),
#    serveralias  varchar(255),
#    docroot      varchar(255),
#    scriptalias  varchar(255),
#    primary key (ID)
#   )
#
#  Note: serveralias can be a space-separated list. Change the field to
#  a text field if you have more than 255 characters of aliases.
#        scriptalias should have a trailing slash.
#        NameVirtualHost * must already be set in httpd.conf before this
#        section, since every host below is name-based on '*'.
#

<Perl>

use DBI;

my $db       = 'DBI:mysql:vhosts';
my $login    = 'www';
my $password = 'www';

# RaiseError turns any DBI failure into a fatal error at startup, which is
# what you want: better a server that refuses to start than one with no vhosts.
my $dbh = DBI->connect( $db, $login, $password, { RaiseError => 1 } );
my $sth = $dbh->prepare( "SELECT servername, serveralias,
                                 docroot, scriptalias
                            FROM vhosts " );
$sth->execute;
# bind_columns wants references, so the whole list is taken by reference.
$sth->bind_columns( \my ( $servername, $serveralias,
                          $docroot, $scriptalias ) );
while ( $sth->fetch ) {
    my %vhost = (
        ServerName   => $servername,
        DocumentRoot => $docroot,
        ScriptAlias  => "/cgi-bin/ $scriptalias",
    );
    # ServerAlias needs at least one name, so leave it out for rows without one.
    $vhost{ServerAlias} = $serveralias
        if defined $serveralias && length $serveralias;
    push @{ $VirtualHost{'*'} }, \%vhost;
}
$sth->finish;
$dbh->disconnect;

</Perl>

This goes in httpd.conf and requires mod_perl. Since the database password now sits in httpd.conf, keep that file readable only by root, and give the www database account nothing beyond SELECT on the vhosts table. And, of course, you can add additional fields if you need them, such as ErrorLog and CustomLog.

Christmas wines

Well, I seem to have neglected my duty, and now I seem to be forgetting what I should have taken good notes on.

In summary, the J Pinot Noir was disappointing. When I pay that much for a wine, I expect it to thrill. However, it was clear from the first taste that this was not a wine to chug, but one to squirrel away and have next Christmas, or the one after that. Shame.

The Sauvignon, on the other hand, was thrilling. Anise. Lots and lots of anise. This was very very weird. But fascinating. It was fruity, too, but it was unrecognizable, like strange tropical berries and currants, but not quite. I did not know a sauvignon could be that interesting.

I need to make sure to tell the folks at the T.C. about it, and give them my compliments on their assistance in picking.

Choosing a distro, chapter 4

OK, last chapter for today.

BSD did not like me. The X configuration thingy hung every time. Why? I have no idea. But I did not really feel like wasting any more time on it.

And so, I seem to have settled on (I cringe to admit it) Red Hat. The installation (8.0) was the easiest OS I have ever installed. I was very very impressed. It detected hardware without a hitch, installed quickly, and required a bare minimum of hand-holding.

Now, I have never been a big fan of Red Hat, but, wow, this was impressive. If you’re looking for something that Just Works, this very well may be it. I have been growing gradually more frustrated with Linux, because of how hard it is to install stuff. Well, this is not that.

Please understand that these systems are training systems, intended to be easy to use for beginners, and, most importantly, easy to rebuild. I don’t know that I’ll be converting my main development machines to Red Hat any time soon. But, you never know.

We both appear to be misunderstood

Hacking Log 2.0

Well, Andy, I seem to have been just as misunderstood as you, and I humbly apologize for appearing to take pot-shots at you. I really did not mean to offend, either by my comments here, or my comments on the mailing list.

You have good ideas, and people are probably overly anxious to criticize, when they could spend that time making constructive contributions. And, without any sarcasm, I admire your passion, your drive, and your obvious desire to get stuff done. It seems that too many of us have lost that over the years.

What I, personally, took umbrage at, was the implication that the processes put in place were there purely to slow down the wheels of progress. You say that you did not intend that implication, and I accept that, and withdraw my comments, with apologies for accusing you of those ideas.

I cannot take up on your offer to fill in those documents and processes, because, clearly, I understand them even less than you do. HTTPd is a world apart from the exciting bleeding-edge projects that go on in the rest of the ASF, and many of us are just as happy it is that way. If nothing else, it makes the books sell better.

I’m sorry I came across as being critical of you personally, or of your obvious passion for the projects that you are part of. As I tried to express on the mailing list, when I ask “why the heck are things the way they are”, I am usually genuinely asking that question, not saying “you are a bad and evil person for making things that way.”

And, just so I’m not disingenuously hiding behind an alias, I am the guy in the picture there.

Choosing a Distro, chapter 3

Gentoo was a complete joke. Of course, perhaps I had the wrong ISO. It was not at all clear from the web site what I wanted. The ISO, while it claimed to be a Gentoo distro, was also an Unreal Tournament CD that would let you boot and play on any PC. Why is this useful? I’m not sure. But it appears that in order to install Gentoo, you have to know as much about your system as used to be the case in the Red Hat 4 days. That’s for the birds.

Choosing a distro, chapter 2

Even though I’ve been using Slackware for some time, I can’t claim to like it. It has taught me a lot, but there are days when this is a bad thing. I want stuff to Just Work.

Well, I gave it a shot as my distro, but it failed too. Primarily because I could not get X working right. I’ve worked on this before, and just can’t get it higher than 800×600. This may seem like a small deal, but this is a classroom, and people expect a certain amount of usability from the machines.

So, on to BSD and Gentoo.